Hi,
Because of the vulnerability dubbed 'PetitPotam', we disabled NTLM on some servers. Now we can't connect to those servers from the tree view with saved credentials (we can connect to them through quick connect but you need to know the password or have it in your clipboard beforehand). MS KB: KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) (microsoft.com)
Is there a solution for this? We will be rolling out the mitigations as stated in the Microsoft KB to a lot of customers, so this will get more annoying by the minute... We also can't log in with users that are marked 'sensitive' in the domain, and I think that had something to do with OpenRDP.
Best regards,
Thomas
Hi,
With regard to RDP specifically, NTLM relaying is not an issue, especially if you enforce Extended Protection for Authentication: https://msrc-blog.microsoft.com/2009/12/08/extended-protection-for-authentication/
This is because one cannot simply relay the CredSSP exchange used in RDP NLA: the authentication sequence is cryptographically bound to the underlying TLS connection.
Now back to NTLM relay issues affecting protocols other than RDP: various NTLM features can be enforced, but by all means disable NTLM if possible. I have no idea if it is possible to selectively enforce Kerberos everywhere except RDP, but that would be ideal to avoid trouble.
Are you using RDM Windows with the Microsoft RDP ActiveX, or FreeRDP? If quick connect works with Kerberos enforced, then Kerberos works (obviously). The FreeRDP engine on Windows specifically *should* work but it's something I haven't tried in a long time, so I would recommend using the Microsoft RDP ActiveX, unless you have a specific reason for using FreeRDP.
Can you provide more details on the error that happens when using saved credentials? Does it simply reject the credentials and prompt for them again? I get the feeling that if saved credentials are rejected yet you can still connect by entering the credentials manually, it could be an issue unrelated to Kerberos. Some servers can be configured to reject saved credentials (annoying, but it happens).
Best regards,
Marc-André Moreau
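To separate the two explanations raised in the reply above (the connection falls back to NTLM and is now blocked, versus the host being configured to discard saved credentials), here is an added diagnostic script. It is not part of the original posts and is not Remote Desktop Manager code. It is meant to run in an elevated PowerShell session on the RDP target server; the lookback window `$Hours` is an assumed default, and the event log and registry locations are the standard Windows ones for the "Restrict NTLM" policies, the RDP-Tcp listener and the "Always prompt for password upon connection" policy.

```powershell
# Added diagnostic, not code from the original posts or from Remote Desktop Manager.
# Run in an elevated PowerShell session on the RDP *target* server after applying the
# KB5005413 NTLM restrictions. It prints the settings that decide whether an NLA
# connection can still succeed without NTLM, whether the host is configured to ignore
# saved credentials, and which authentication package recent logons actually used.
# $Hours is an assumed lookback window; adjust it as needed.
param([int]$Hours = 24)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '<not set>' }
    return $item.$Name
}

$msv      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

Write-Host "== Authentication-related settings on $env:COMPUTERNAME =="
[pscustomobject]@{
    # "Network security: Restrict NTLM: Incoming NTLM traffic"
    #   0 = allow all, 1 = deny all domain accounts, 2 = deny all accounts
    RestrictReceivingNTLMTraffic = Get-RegValue $msv 'RestrictReceivingNTLMTraffic'
    # "Network security: Restrict NTLM: Audit Incoming NTLM Traffic"
    #   0 = disabled, 1 = audit domain accounts, 2 = audit all accounts
    AuditReceivingNTLMTraffic    = Get-RegValue $msv 'AuditReceivingNTLMTraffic'
    # RDP listener: UserAuthentication 1 = NLA required; SecurityLayer 2 = TLS,
    # which is the channel the CredSSP exchange is bound to.
    NlaRequired                  = Get-RegValue $listener 'UserAuthentication'
    SecurityLayer                = Get-RegValue $listener 'SecurityLayer'
    # "Always prompt for password upon connection": 1 makes the host discard the
    # credentials the client sent and prompt again, which looks like a rejection of
    # saved credentials even though authentication itself succeeded.
    AlwaysPromptForPassword      = Get-RegValue $tsPolicy 'fPromptForPassword'
} | Format-List

$since = (Get-Date).AddHours(-$Hours)

# Incoming NTLM that the restriction policy blocked or audited
# (Microsoft-Windows-NTLM/Operational, event ID 8002). A hit naming the RDM client
# means that connection attempted NTLM rather than Kerberos.
Write-Host "== Incoming NTLM blocked/audited since $since (event 8002) =="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8002
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap -AutoSize

# Successful logons (Security event 4624). With NLA the CredSSP stage typically shows
# up as a network logon (type 3) authenticated with Kerberos or NTLM, followed by the
# RemoteInteractive logon (type 10). Listing the package name per client shows which
# one each connection actually negotiated.
Write-Host "== Logons since $since by authentication package (event 4624) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $get  = { param($n) ($data | Where-Object { $_.Name -eq $n }).'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LogonType = & $get 'LogonType'
            Package   = & $get 'AuthenticationPackageName'
            User      = '{0}\{1}' -f (& $get 'TargetDomainName'), (& $get 'TargetUserName')
            Client    = & $get 'WorkstationName'
            ClientIP  = & $get 'IpAddress'
        }
    } |
    Where-Object { $_.LogonType -in '3', '10' -and $_.Package -in 'Kerberos', 'NTLM' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Reading the output: an `fPromptForPassword` of 1 with no 8002 events points at the "server rejects saved credentials" explanation; 8002 events for the RDM client, or 4624 entries showing NTLM for connections typed by hand but none for the saved entry, point at a Kerberos problem instead. On the client side the same log (event 8001) records outgoing NTLM that was blocked or audited, and `klist get TERMSRV/<server FQDN>` shows whether a Kerberos service ticket for the RDP target can be obtained at all; Kerberos cannot be used when the saved entry targets the host by IP address or by a name that has no matching TERMSRV service principal name, which is one difference between a tree-view entry and a quick-connect session worth ruling out.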